NISTIR 8286 (Draft)

Integrating Cybersecurity and Enterprise Risk Management (ERM)

Date Published: March 2020
Comments Due: May 20, 2020 (public comment period is CLOSED)
Email Questions to: nistir8286@nist.gov

Planning Note (5/12/2020):

The comment period has been extended to May 20, 2020 (from April 20, 2020).

5/12 Added Supplemental Material: DRAFT OLIR NISTIR 8286 - Draft OLIR mapping for the DRAFT 8286 document


Author(s)

Kevin Stine (NIST), Stephen Quinn (NIST), Gregory Witte (Huntington Ingalls Industries), Karen Scarfone (Scarfone Cybersecurity), Robert Gardner (New World Technology Partners)

Announcement

All enterprises should ensure cybersecurity risk gets the appropriate attention within their enterprise risk management (ERM) programs, which address all types of risk. Individual organizations within an enterprise can improve the cybersecurity risk information they provide as inputs to their enterprise's ERM processes. By doing so, enterprises and their component organizations can better identify, assess, and manage their cybersecurity risks in the context of their broader mission and business objectives.
NIST is releasing Draft NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), for public comment. This report promotes greater understanding of the relationship between cybersecurity risk management and ERM, and the benefits of integrating those approaches.

NOTE: A call for patent claims is included on page iv of this draft.  For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.

Abstract

Keywords

cybersecurity risk management; cybersecurity risk measurement; cybersecurity risk profile; cybersecurity risk register; enterprise risk management (ERM); enterprise risk profile

Control Families

None selected

Documentation

Publication:
NISTIR 8286 (Draft) (DOI)
Local Download

Supplemental Material:
Draft OLIR NISTIR 8286 (xls)

Document History:
03/19/20: NISTIR 8286 (Draft)
07/09/20: NISTIR 8286 (Draft)
10/13/20: NISTIR 8286 (Final)

Topics

Security and Privacy
risk management

Applications
enterprise